What is Cybersecurity Maturity Model Certification (CMMC) and why should you care?

By Brad Schulteis, Reginald Jackson



If your organization works with the U.S. Department of Defense — either as a prime contractor, subcontractor or supplier — you need to prepare for major changes this year. Starting in 2021, some Department of Defense (DoD) contracts will require you to not only achieve a certain level of cybersecurity, but also have it certified by a third-party assessor.

This certification program, known as Cybersecurity Maturity Model Certification (CMMC), will help ensure that everyone on a contract can keep the project’s data secure. This is a shift from how the DoD has handled cybersecurity requirements in the past, when an organization often simply needed to self-attest that they were practicing essential cybersecurity hygiene. But given that cybercrime is predicted to cost $6 trillion globally in 2021, and continues to rise, these measures are not unexpected.

So, how should you prepare? Although the DoD is still ironing out the details, you can start getting ready now by learning about the new requirements, getting to know the various certification levels and knowing who to reach out to for expert guidance.


Who will need to be CMMC-certified?

It’s estimated that more than 300,000 organizations will require assessment and certification to one of the five CMMC levels. From small businesses providing HVAC maintenance to major defense contractors working on the newest military hardware, every member of the DoD supply chain will need to address CMMC. At the same time, that doesn’t mean your entire organization needs to be compliant — just the systems, processes and people involved in fulfilling the specific contract at the CMMC level in question. This is important, as the jump from Level 1 to Level 3 requires formal documentation and implementation of 113 additional security controls. However, the DoD estimates that most contracts will only require Level 1 certification.


What are the CMMC levels?

The level of compliance needed will vary based on the scope of work. So if you take the examples above, a business providing HVAC maintenance might just need to reach CMMC Level 1, while the company working on military hardware is probably looking at CMMC Level 5 certification. Let’s take a brief look at what each level entails.

  • Level 1: Basic cyber hygiene
    Safeguarding Federal Contract Information (FCI)
    At this level, you will be implementing basic cybersecurity best practices that every business should follow — and that most suppliers have been required to follow since 2016, in accordance with FAR 52.204-21. For example, you will need to control and manage who has access to devices and data, establish strong password protections, implement firewalls, stay on top of software updates/patches and use antivirus protection. This helps protect Federal Contract Information (FCI), which is likely to be found in nearly every government contract.


  • Level 2: Intermediate cyber hygiene
    Transitioning to protecting Controlled Unclassified Information (CUI)
    In Level 2, you will need to demonstrate that cybersecurity is not just practiced, but that you are effectively documenting, managing, reviewing and optimizing your practices. In doing so, you’re preparing your organization to move ahead to Level 3.


  • Level 3: Good cyber hygiene
    Protecting CUI
    Level 3 demonstrates that you are able to protect anything the government categorizes as CUI (i.e., information that is sensitive and not for public consumption, but not officially “classified”). It shows that you haven’t just implemented and documented the required cybersecurity practices, but that you’re actively managing them as well.


  • Level 4: Proactive cybersecurity 
    Protecting CUI and reducing the risk of advanced persistent threats
    At this level, you’re taking a more proactive approach to protecting the government’s information. You will need to demonstrate that you’re able to detect and respond to advanced persistent threats and adapt to their always-changing tactics, techniques and procedures.


  • Level 5: Advanced/progressive cybersecurity
    Increasing protection of CUI and further reducing the risk of advanced persistent threats
    Level 5 requires that you take a more advanced posture of proactive scanning and mitigation of advanced persistent threats — standardizing and optimizing your processes across your organization. While Level 4 can be more reactionary, Level 5 is more proactive.


How can my business get CMMC certified?

One of the keys to CMMC certification is the ability to break down and review your processes at every step, identify strengths and weaknesses, and develop remediation plans. If you’ve never done this before, reach out to an experienced Registered Provider Organization (RPO) who can help streamline your path to CMMC certification. The key is to reach out to an RPO early in the process, so you can avoid costly mistakes from the beginning and start with a strong foundation.

As an authorized RPO, Rackspace Technology can help you achieve your certification faster, so you can remain competitive for DoD contracts moving forward. We’re a leader in the government compliance enablement space, powering multiple FedRAMP and FISMA ATOs built on our managed service, and providing 24x7x365 hybrid-cloud management, operational support and security services as a packaged, on-demand, audited and pay-as-you-go service.

Start your CMMC journey strong. Learn more about our CMMC certification services.

